
Definitions

A risk is an uncertain event that, if it occurs, has a positive or negative effect on a project’s objectives or outcome. A risk is defined by having both an impact and a probability, and should not be confused with uncertainty.

Risk management is the process by which project managers address risk by, at its simplest level, considering an event's probability and impact and, by combining these two considerations, gaining an appreciation of its importance. Then, by understanding the importance of a risk, a project manager is able to prioritise time and resources towards addressing those risks with the greatest potential for loss.

The first step in developing a risk register is to identify all possible project risks. This can be done from reports and project documents, but bringing all the project team together at a risk workshop is usually considered to be the best approach. Risk workshops are held to identify all the risks associated with a project that could have an impact on cost, time or performance of the project. In addition, where possible, information from the team should be obtained on the impact of the risk and the probability of its occurrence as this will be required later.

It is also worth remembering that risks, both in terms of impact and probability, can change over the life of the project. Finally, it is worth considering whether there is any correlation between risks. This allows the first element in the risk register, a description of the risk, to be prepared.

The risks that have been identified then need to be analysed for their probability and impact on the project (such as cost, time and resource).

There are two basic approaches, 'qualitative' and 'quantitative' risk analysis:

In a qualitative analysis, descriptive terms are used such as 'low impact' and 'high probability'.

In a quantitative analysis, risks will have values attributed to them, such as 'an impact of £10m' or 'a probability of 65%'.

The approach adopted will be influenced by the information available. It is possible to mix qualitative and quantitative analysis, although care must be taken if doing this to ensure there is not an unintentional over-focus on the quantitatively defined risks.

Finally, the analyses of probability and impact are combined into a single risk score. Again, this risk score can be presented quantitatively or qualitatively, with quantitative methods often using colours (green, amber and red) as well as words. Once again, this analysis is then entered into the risk register. Risks are often listed from highest to lowest score so as to highlight the priority risks more clearly.

The next task initially requires the highlighting of warning signs for each risk. Often this focuses on the priority risks. It is then necessary to identify a plan of action to bring about risk resolution. While there is an inevitable tendency to focus on negative threats, thought should also be given to more positive opportunities.

Those with a high risk score value will need action plans that respond with utmost urgency while those with a low risk score can simply be monitored without having a detailed action plan identified.

Risk mitigation seeks to reduce the probability of occurrence or impact of a risk to below an acceptable threshold through a proactive parallel management action taken in advance of a negative impact arising.

Risk transfer seeks to shift the impact of a threat to a third party, together with ownership of the response. However, care must be taken with this approach to ensure that there are no residual unaddressed risks left within the project from a retained correlated risk.

Risk avoidance is achieved by making changes to the actual project, to either eliminate the risk or to protect the project objectives from its impact. Generally, risk avoidance involves relaxing the time, cost, scope, or quality objectives.

Risk acceptance means there is no change to the project to deal with a risk, and is often a reflection that it has not been possible to identify an appropriate risk resolution strategy.

When developing risk resolution strategies, especially for the most critical risks, it is important to avoid reliance on a single control or countermeasure.

As before, all the above information needs to be recorded within the risk register.

Allocating responsibility

The last step in developing a risk register is the allocation of an owner for each risk, and its associated monitoring and risk resolution plan.

While it is essential that all the above information is recorded in the risk register at the start of the project, it is equally important that the risk register is treated as a living document, being reviewed and updated on a regular basis.